The vApp user, ec2-user, can put sudo in front of any command and get access to everything, including a root shell. I assume that we should not be able to do this.
For example, we can switch to the root user (sudo su -).
We suspect it might be something to do with this file:
/etc/sudoers.d/90-cloud-init-users
# User rules for ec2-user
ec2-user ALL=(ALL) NOPASSWD:ALL
Release: 14.4
Component: CA IDENTITY SUITE (VIRTUAL APPLIANCE)
Amazon Web Services image only.
The root access for ec2-user is fixed in 14.4 CP2 (14.4.2). There are no backports planned for CP1.
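
To check a host or image for rules like the one quoted from 90-cloud-init-users above, the following shell function lists every user or group that a sudoers file lets run all commands as root without a password. It is an added example, not part of the original article or the product; the function name and the sample rules are constructed for illustration, and it only handles single-line rules with a simple run-as spec.

```shell
#!/bin/sh
# Added example (not vendor code): flag sudoers rules that grant ALL commands
# with NOPASSWD when run as root or as any user.
# Usage: find_unrestricted_nopasswd /etc/sudoers /etc/sudoers.d/*
# Prints "<file>: <user or %group>" for each matching rule.
find_unrestricted_nopasswd() {
    awk '
        /^[ \t]*#/ { next }      # comments (and legacy #include directives)
        /^[ \t]*$/ { next }      # blank lines
        {
            who  = $1
            rest = $0
            # Drop the user field, then all whitespace, so that
            # "NOPASSWD: ALL" and "NOPASSWD:ALL" compare the same.
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", rest)
            gsub(/[ \t]/, "", rest)
            # Host ALL, run-as absent / ALL / root, any tags, command ALL.
            if (rest ~ /^ALL=(\((ALL|root)(:[^)]*)?\))?([A-Z_]+:)*NOPASSWD:([A-Z_]+:)*ALL$/)
                print FILENAME ": " who
        }
    ' "$@"
}

# Constructed sample; the first rule mirrors the one shown in this article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# User rules for ec2-user
ec2-user ALL=(ALL) NOPASSWD:ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
%wheel   ALL=(ALL:ALL) NOPASSWD: ALL
deploy   ALL=(ALL) ALL
EOF
find_unrestricted_nopasswd "$sample"   # reports ec2-user and %wheel only
rm -f "$sample"
```

Rules that use aliases or line continuations are not expanded by this check; `sudo -l -U ec2-user` run as root shows the effective privileges sudo itself computes for the account.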